5. INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM
The German Corporate Governance Code (the “Code”) recommends disclosures on the internal control and risk management system. These go beyond the statutory requirements for the management report and are not included in the auditor’s review of the content of the management report (“non-management report-related disclosures”). In chapter 5 “Internal control and risk management system”, they are thematically assigned to the main elements of the internal control and risk management system and are separated from the disclosures to be audited by separate paragraphs and marked accordingly as “unaudited”.
Internal control system (unaudited)
The internal control system (ICS) of United Internet AG covers the entire organization and serves to maintain the functionality and efficiency of business processes, the reliability of operational information, the safeguarding of assets, and compliance with regulations. To this end, the controls carried out include adherence to planned processes, the “four-eye principle”, and the separation of functions. The controls are defined on the basis of uniform categorizations for each process and are carried out both centrally in some cases and decentrally throughout the Group. Defined processes, which involve those responsible in the specialist areas as well as process experts, ensure that process and organizational risks are countered in a preventive manner. Together and in cooperation with Risk Management, all units of the Group assess if there are any organizational and process risks and whether these could have an impact on the ICS. The ICS is regularly enhanced, also with the involvement of experts. Monitoring is based on the three pillars of Risk Management, Corporate Audit and external auditors. Corporate Audit evaluates and improves governance processes and risk management and also assesses the appropriateness and effectiveness of the ICS by conducting regular spot checks.
Accounting-related internal control and risk management system
In accordance with section 289 (4) and section 315 (4) German Commercial Code (HGB), United Internet AG is obliged to describe the main features of its accounting-related internal control and risk management system in its Management Report.
United Internet AG regards risk management as part of its internal control system (ICS). The ICS is understood as an ongoing process comprising organizational, controlling, and monitoring structures to ensure permanent compliance with legal and corporate requirements.
The Management Board of United Internet AG is responsible for the scope and structure of its ICS and takes account of the Company’s specific requirements. The monitoring of the ICS’s effectiveness is one of the duties of the Supervisory Board of United Internet AG, which is regularly informed by the Management Board about the status of the ICS and the findings of the Company’s Internal Audit system. Within the United Internet Group, the Corporate Audit department is responsible for independently auditing the appropriateness, effectiveness, and functionality of the ICS and has been granted extensive rights with regard to information, examination, and access in order to exercise its duties. Its audits are based on a risk-oriented audit plan which also includes regular audits of subsidiaries. In addition, the Corporate Audit department conducts fundamental audits regarding the proper functioning of important asset and inventory stock-taking. Furthermore, those areas of the ICS of relevance for financial reporting are audited with regard to efficiency by the external auditors as part of their risk-oriented audit approach.
The accounting-related ICS is continuously being developed and comprises principles, procedures, and measures to secure the effectiveness, economic efficiency, and compliance of the accounting system and to ensure that the relevant laws and standards are observed. During preparation of the Consolidated Financial Statements, the ICS is used in particular to ensure the application of International Financial Reporting Standards (IFRS), as endorsed by the European Union, and the additional provisions under commercial law pursuant to section 315e of the German Commercial Code (HGB). When preparing the Annual Financial Statements and Management Report, the ICS also helps ensure that regulations under commercial law are observed.
However, a fundamental aspect of every ICS, irrespective of its particular design, is that it cannot provide absolute assurance that material misstatements in accounting are avoided or detected. This may be due, e.g., to incorrect discretionary decisions of individuals, faulty controls, or criminal acts.
The following statements refer solely to the fully consolidated subsidiaries included in the Annual Financial Statements of United Internet AG, for which United Internet AG has the direct or indirect possibility of determining their financial and monetary policy in order to derive a benefit from the activity of these companies.
The task of United Internet AG’s risk management system includes setting measures to detect and assess risks, reduce them to an acceptable level, and monitor recognized risks. A risk management system requires organized action to deal suitably with uncertainty and threats and urges employees to utilize the regulations and instruments required to ensure compliance with the risk management principles. In addition to operative risk management, it also includes the systematic early recognition, management, and monitoring of risks. The accounting-related risk management system focuses on the risk of false statements in accounting and external reporting.
Specific accounting-related risks may arise, for example, from the conclusion of unusual or complex transactions. Business transactions which cannot be processed in a routine manner are also exposed to latent risks. It is necessary to grant a limited circle of people certain scope for discretion in the recognition and measurement of assets and liabilities, which may result in further accounting-related risks.
The accounting-related ICS comprises internal controls, defined on the basis of risk aspects, for those processes which are relevant for financial reporting as well as those processes that support the IT systems. Special emphasis is placed on IT security, change management, and operational IT processes. Organizational, preventive, and detective controls are applied, which can be conducted manually or with the aid of IT. The effectiveness and efficiency of the accounting-related ICS require highly developed employee skills. Regular training, the “four-eye principle”, and the functional separation of administrative, executive, and approval processes are indispensable for the United Internet Group. The Corporate Accounting division and other accounting departments are responsible for the management of the accounting processes. Laws, accounting standards, and other pronouncements are continuously analyzed with regard to their relevance and impact on accounting. The Group’s accounting policy sets out and communicates relevant requirements and forms the basis for the financial statement preparation process. In addition, supplementary procedural instructions such as the intercompany guideline, standardized reporting formats, IT systems and computer-aided reporting and consolidation processes support the standardized and compliant Group accounting process. The Corporate Accounting division ensures that these requirements are implemented uniformly throughout the Group. The Group companies are responsible for the orderly and timely execution of the accounting-related processes and systems and are supported by the accounting departments accordingly.
If significant control weaknesses or opportunities for improvement are detected, they are assessed and countermeasures are developed with the persons responsible to improve the effectiveness of the ICS. Implementation of the measures is monitored by the Corporate Audit department and may be the subject of subsequent audits. In order to ensure the high quality of the accounting-related ICS, the Corporate Audit department is closely involved during all stages.
Effectiveness statement (unaudited)
Based on its regular review of the internal control and risk management system, the Management Board is not aware of any circumstances at the time of preparing this Combined Management Report that would speak against or call into question the appropriateness and effectiveness of these systems.